Input validation is the single best defense against injection and XSS vulnerabilities. Done right, proper input validation techniques can make web applications invulnerable to such attacks. Done incorrectly, they bring little more than a false sense of security. The bad news is that input validation is difficult. “White listing,” or identifying all possible strings accepted as input, is nearly impossible for all but the simplest of applications. “Black listing,” that is, parsing the input for bad characters (such as ', ;, --, etc.) and dangerous strings, can be challenging as well. Though this is the most common method, it is often challenged by attackers who work through various encoding mechanisms, translations and other avoidance tricks to bypass such filters.
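As an added illustration (not code from the original article), the Python sketch below runs a blacklist built from the characters named above and a whitelist for a hypothetical username field over constructed inputs, and reports whether a blacklisted character reappears once the input is percent-decoded and Unicode-normalized. The field rule, function names and sample values are assumptions made for the example.

```python
import re
import unicodedata
from urllib.parse import unquote

# Blacklist built from the characters named in the text above.
BLACKLIST = ("'", ";", "--")
# Hypothetical whitelist rule for one field (a username): assumed, not from the article.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")


def blacklist_accepts(raw: str) -> bool:
    """Accept unless a blacklisted token appears in the input exactly as received."""
    return not any(token in raw for token in BLACKLIST)


def whitelist_accepts(raw: str) -> bool:
    """Accept only if the whole input, as received, matches the field's pattern."""
    return USERNAME_RE.fullmatch(raw) is not None


def canonicalize(raw: str, max_rounds: int = 5) -> str:
    """Approximate what later layers may see: percent-decode until stable, then NFKC."""
    value = raw
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return unicodedata.normalize("NFKC", value)
        value = decoded
    raise ValueError("input still changing after %d decoding rounds" % max_rounds)


def review(raw: str) -> dict:
    """Compare both filters on the raw input with the blacklist on its canonical form."""
    return {
        "blacklist_accepts": blacklist_accepts(raw),
        "blacklisted_after_decoding": not blacklist_accepts(canonicalize(raw)),
        "whitelist_accepts": whitelist_accepts(raw),
    }


# Constructed sample inputs: plain, literal quote, single- and double-encoded
# quote, and the fullwidth apostrophe U+FF07 that NFKC folds to an ASCII quote.
SAMPLES = ["alice_01", "o'brien", "bob%27", "bob%2527", "bob\uff07"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(ascii(sample), review(sample))
```

The three encoded samples pass the blacklist yet carry a quote after decoding, while the whitelist rejects them as received; it also rejects the legitimate-looking `o'brien`, which is the cost of a strict pattern.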
Over the last few years, a single source has emerged for best practices around input validation and other web security issues. The working group OWASP has some great techniques for various languages and server environments. Further, vendors such as Sun, Microsoft and others have created best practice articles and sample code for doing input validation for their servers and products. Check with their knowledge base or support teams for specific information about their platform and the security controls they recommend.
While application frameworks and web application firewalls are evolving as tools to help with these security problems, proper developer education and ongoing training of your development team about input validation remain the best solution.
This is somewhat misleading. Input validation is extremely important, but it’s not a complete defense to injection by itself. Check the OWASP top ten for an explanation for why we recommend output escaping and parameterized interfaces first, and input validation as a defense in depth and to detect attacks in progress.
Jeff,
I agree with you that input validation is just the beginning and true appsec requires much more than this in real life. But, folks have to start somewhere. Thus, the pointer to input validation. This is a pretty common security objective that developers should undertake. Since it is so common, code samples and free resources abound to fix these issues. Thanks to your group, OWASP, much of the hard work for some of these developers has already been done.
I don’t think we claimed that input validation was the end-all, be-all of appsec. We just think it is a good (and likely 80/20) place to start.
As always, thanks for reading. In your case, thanks for all that OWASP does. We truly appreciate the group’s work and efforts to make the web a safer place!